Set correct auth settings for all actions

A test has been added to RequestHandlerTest, making sure that, while we merely log errors for the time being, the correct dummy AuthResult is being created. Most actions use the default settings, which have been changed to INTERNAL / APP / IGNORED. Actions with non-default settings are: INTERNAL/NONE/PUBLIC (non-auth public endpoints) CheckApiAction WhoisHttpServer Rdap*Action INTERNAL,API/APP/ADMIN (things currently protected by web.xml) EppTlsAction EppToolAction CreateGroupsAction CreatePremiumListAction DeleteEntityAction List*sAction UpdatePremiumListAction VerifyOteAction WhoisServer INTERNAL,API,LEGACY/USER/PUBLIC (registrar console) RegistrarPaymentAction RegistrarPaymentSetupAction RegistrarSettingsAction EppConsoleAction INTERNAL,API,LEGACY/NONE/PUBLIC (registrar console main page) ConsoleUiAction ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=149761652
2025-05-13 07:57:13 +02:00 · 2017-03-10 08:47:52 -08:00 · 2017-03-10 08:47:52 -08:00 · 1f000b94e6
commit 1f000b94e6
parent f5e76868f0
38 changed files with 450 additions and 133 deletions
--- a/java/google/registry/ui/server/registrar/BUILD
+++ b/java/google/registry/ui/server/registrar/BUILD
@ -18,6 +18,7 @@ java_library(
        "//java/google/registry/flows",
        "//java/google/registry/model",
        "//java/google/registry/request",
+        "//java/google/registry/request/auth",
        "//java/google/registry/security",
        "//java/google/registry/ui/forms",
        "//java/google/registry/ui/server",
--- a/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@ -31,6 +31,8 @@ import google.registry.flows.EppConsoleAction;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.security.XsrfTokenManager;
 import google.registry.ui.server.SoyTemplateUtils;
 import google.registry.ui.soy.registrar.ConsoleSoyInfo;
@ -38,7 +40,17 @@ import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;

 /** Action that serves Registrar Console single HTML page (SPA). */
-@Action(path = ConsoleUiAction.PATH, requireLogin = true, xsrfProtection = false)
+@Action(
+  path = ConsoleUiAction.PATH,
+  requireLogin = true,
+  xsrfProtection = false,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
+        minimumLevel = AuthLevel.NONE,
+        userPolicy = Auth.UserPolicy.PUBLIC
+      )
+)
 public final class ConsoleUiAction implements Runnable {

  public static final String PATH = "/registrar";
--- a/java/google/registry/ui/server/registrar/RegistrarPaymentAction.java
+++ b/java/google/registry/ui/server/registrar/RegistrarPaymentAction.java
@ -35,6 +35,8 @@ import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
 import google.registry.request.JsonActionRunner;
 import google.registry.request.JsonActionRunner.JsonAction;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.security.JsonResponseHelper;
 import google.registry.ui.forms.FormField;
 import google.registry.ui.forms.FormFieldException;
@ -56,15 +58,16 @@ import org.joda.money.Money;
 * <p>The request payload is a JSON object with the following fields:
 *
 * <dl>
- * <dt>amount
- * <dd>String containing a fixed point value representing the amount of money the registrar
- *     customer wishes to send the registry. This amount is arbitrary and entered manually by the
- *     customer in the payment form, as there is currently no integration with the billing system.
- * <dt>currency
- * <dd>String containing a three letter ISO currency code, which is used to look up the Braintree
- *     merchant account ID to which payment should be posted.
- * <dt>paymentMethodNonce
- * <dd>UUID nonce string supplied by the Braintree JS SDK representing the selected payment method.
+ *   <dt>amount
+ *   <dd>String containing a fixed point value representing the amount of money the registrar
+ *       customer wishes to send the registry. This amount is arbitrary and entered manually by the
+ *       customer in the payment form, as there is currently no integration with the billing system.
+ *   <dt>currency
+ *   <dd>String containing a three letter ISO currency code, which is used to look up the Braintree
+ *       merchant account ID to which payment should be posted.
+ *   <dt>paymentMethodNonce
+ *   <dd>UUID nonce string supplied by the Braintree JS SDK representing the selected payment
+ *       method.
 * </dl>
 *
 * <h3>Response Object</h3>
@ -73,28 +76,35 @@ import org.joda.money.Money;
 * which, if successful, will contain a single result object with the following fields:
 *
 * <dl>
- * <dt>id
- * <dd>String containing transaction ID returned by Braintree gateway.
- * <dt>formattedAmount
- * <dd>String containing amount paid, which can be displayed to the customer on a success page.
+ *   <dt>id
+ *   <dd>String containing transaction ID returned by Braintree gateway.
+ *   <dt>formattedAmount
+ *   <dd>String containing amount paid, which can be displayed to the customer on a success page.
 * </dl>
 *
- * <p><b>Note:</b> These definitions corresponds to Closure Compiler extern
- * {@code registry.rpc.Payment} which must be updated should these definitions change.
+ * <p><b>Note:</b> These definitions corresponds to Closure Compiler extern {@code
+ * registry.rpc.Payment} which must be updated should these definitions change.
 *
 * <h3>PCI Compliance</h3>
 *
- * <p>The request object will not contain credit card information, but rather a
- * {@code payment_method_nonce} field that's populated by the Braintree JS SDK iframe.
+ * <p>The request object will not contain credit card information, but rather a {@code
+ * payment_method_nonce} field that's populated by the Braintree JS SDK iframe.
 *
 * @see RegistrarPaymentSetupAction
 */
@Action(
-    path = "/registrar-payment",
-    method = Action.Method.POST,
-    xsrfProtection = true,
-    xsrfScope = "console",
-    requireLogin = true)
+  path = "/registrar-payment",
+  method = Action.Method.POST,
+  xsrfProtection = true,
+  xsrfScope = "console",
+  requireLogin = true,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
+        minimumLevel = AuthLevel.USER,
+        userPolicy = Auth.UserPolicy.PUBLIC
+      )
+)
 public final class RegistrarPaymentAction implements Runnable, JsonAction {

  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
--- a/java/google/registry/ui/server/registrar/RegistrarPaymentSetupAction.java
+++ b/java/google/registry/ui/server/registrar/RegistrarPaymentSetupAction.java
@ -28,6 +28,8 @@ import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
 import google.registry.request.JsonActionRunner;
 import google.registry.request.JsonActionRunner.JsonAction;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.security.JsonResponseHelper;
 import java.util.Map;
 import javax.inject.Inject;
@ -46,29 +48,38 @@ import org.joda.money.CurrencyUnit;
 * containing a single result object with the following fields:
 *
 * <dl>
- * <dt>brainframe
- * <dd>URL for iframe that loads Braintree payment method selector.
- * <dt>token
- * <dd>Nonce string obtained from the Braintree API which is needed by the Braintree JS SDK.
- * <dt>currencies
- * <dd>Array of strings, each containing a three letter currency code, which should be displayed to
- *     the customer in a drop-down field. This will be all currencies for which a Braintree merchant
- *     account exists. A currency will even be displayed if no TLD is enabled on the customer
- *     account that bills in that currency.
+ *   <dt>brainframe
+ *   <dd>URL for iframe that loads Braintree payment method selector.
+ *   <dt>token
+ *   <dd>Nonce string obtained from the Braintree API which is needed by the Braintree JS SDK.
+ *   <dt>currencies
+ *   <dd>Array of strings, each containing a three letter currency code, which should be displayed
+ *       to the customer in a drop-down field. This will be all currencies for which a Braintree
+ *       merchant account exists. A currency will even be displayed if no TLD is enabled on the
+ *       customer account that bills in that currency.
 * </dl>
 *
- * <p><b>Note:</b> These definitions corresponds to Closure Compiler extern
- * {@code registry.rpc.PaymentSetup} which must be updated should these definitions change.
+ * <p><b>Note:</b> These definitions corresponds to Closure Compiler extern {@code
+ * registry.rpc.PaymentSetup} which must be updated should these definitions change.
 *
 * @see RegistrarPaymentAction
- * @see <a href="https://developers.braintreepayments.com/start/hello-server/java#generate-a-client-token">Generate a client token</a>
+ * @see <a
+ *     href="https://developers.braintreepayments.com/start/hello-server/java#generate-a-client-token">Generate
+ *     a client token</a>
 */
@Action(
-    path = "/registrar-payment-setup",
-    method = Action.Method.POST,
-    xsrfProtection = true,
-    xsrfScope = "console",
-    requireLogin = true)
+  path = "/registrar-payment-setup",
+  method = Action.Method.POST,
+  xsrfProtection = true,
+  xsrfScope = "console",
+  requireLogin = true,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
+        minimumLevel = AuthLevel.USER,
+        userPolicy = Auth.UserPolicy.PUBLIC
+      )
+)
 public final class RegistrarPaymentSetupAction implements Runnable, JsonAction {

  @Inject BraintreeGateway braintreeGateway;
--- a/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
+++ b/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
@ -38,6 +38,8 @@ import google.registry.model.registrar.RegistrarContact;
 import google.registry.request.Action;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.JsonActionRunner;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.security.JsonResponseHelper;
 import google.registry.ui.forms.FormException;
 import google.registry.ui.forms.FormFieldException;
@ -57,11 +59,18 @@ import javax.servlet.http.HttpServletRequest;
 * preserve history.
 */
@Action(
-    path = RegistrarSettingsAction.PATH,
-    requireLogin = true,
-    xsrfProtection = true,
-    xsrfScope = "console",
-    method = Action.Method.POST)
+  path = RegistrarSettingsAction.PATH,
+  requireLogin = true,
+  xsrfProtection = true,
+  xsrfScope = "console",
+  method = Action.Method.POST,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
+        minimumLevel = AuthLevel.USER,
+        userPolicy = Auth.UserPolicy.PUBLIC
+      )
+)
 public class RegistrarSettingsAction implements Runnable, JsonActionRunner.JsonAction {

  public static final String PATH = "/registrar-settings";